Wednesday, May 29, 2013

Setup Samba Domain Controller with LDAP backend in Ubuntu 13.04

We have already shown you how to install and configure a basic Samba server in our previous articles.
Today I am going to show you how to install and configure a Samba domain
controller with an LDAP backend, i.e. the users created in the LDAP server can
log in to your domain controller.
In this how-to tutorial, my test-box scenario is as follows:

Prerequisites

In order to continue, please make sure that you have installed and configured the LDAP server properly. Navigate to this link to install and configure OpenLDAP in Ubuntu server 12.04 / 12.10 / 13.04.
Make sure that you have added the server's hostname and FQDN to the /etc/hosts file, so that the name you give to libnss-ldap and Samba resolves even when DNS is unavailable.

For testing purposes, I did a fresh installation of both Ubuntu 13.04 server
and Windows 7 Professional. An already installed OS might not work as you
expect. Though it was tested under Ubuntu, it may work on Debian too. This is
not a full-fledged how-to, but it should meet your requirements. Due to lack
of resources, I tested this under Oracle VirtualBox. It worked for me as I
expected, but I can't give any assurance that it will work for you. Well, let
me go further.

LDAP Authentication

Install the libnss-ldap package to enable LDAP authentication.

sk@server:~$ sudo apt-get install libnss-ldap

The package asks a series of debconf questions:
Enter your LDAP server URI using its FQDN and click Ok. On anything but a loopback test box use ldaps:// or enable TLS, because the bind credentials and password hashes otherwise cross the wire in clear text.
Enter the distinguished name of the LDAP search base.
Select the LDAP version and click Ok.
Select Yes when asked whether to make the local root the database admin.
Answer No when asked whether the LDAP database requires login.
Enter the LDAP root privileged account name and the LDAP suffix.
Enter the LDAP admin account password which you created earlier while installing OpenLDAP. It is stored in /etc/ldap.secret, which must stay readable by root only.
Then run the following commands to set up the LDAP profile for NSS and tell your system to use it for authentication.

Configuring LAM

It is possible to create LDAP users from the command line, but it is a bit
difficult. So here I am using LAM (LDAP Account Manager) to get things done
more easily.
LAM, LDAP Account Manager, is a web GUI used to manage an LDAP server. For more about LAM visit the official website.
To install LAM, enter the following command in the terminal.

sk@server:~$ sudo apt-get install ldap-account-manager

Now you can access LAM from a browser at http://ip-address/lam. The default password for the LAM configuration (master) account is "lam". Change it: the configuration pages are reachable by anyone who can reach the web server, and LAM is served over plain HTTP unless you configure Apache for HTTPS.
Before logging in to LAM, we must enter our LDAP admin user name and LDAP suffix in the LAM configuration. To do so, click on LAM configuration in the right corner of the LAM main console.
Click on Edit Server Profiles and enter the default password, i.e. lam.
Enter the LDAP suffix and the admin account details "cn=admin,dc=unixmen,dc=com" in the General Settings page.
Navigate to the Account Types page, enter the LDAP suffix details as mentioned above and click Save.
Now you can log in to LAM using the LDAP admin (cn=admin) account password.
Click on the Create button to create the missing suffixes that LAM reports on first login.

Creating Users and Groups

Now let us create a sample group called "test" and a sample user called "senthil".

Create Group

Click on New Group in the Groups section. Enter the group name and click Save.

Create users

Click on the New User button in the Users section. In the Personal tab, enter the first name, last name, address details etc.
In the Unix tab, enter the user name, home directory etc.
Now navigate to the Samba 3 tab and click Add Samba 3 extension. Here you can set password expiration, account deactivation and disabled status, home drive details and so on. This extension is what turns a plain POSIX account into a sambaSamAccount entry with a SID and the NT password hash that the domain controller needs.
And finally click on the Set Password tab on the upper side, set the password for the new user and click Save.
That's it. We have created users and groups now.
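To make clear what the LAM "Samba 3 extension" actually stores, here is an added example (my own code, not LAM's or Samba's) that builds the equivalent LDIF for the sample user by hand. It implements MD4 itself rather than relying on hashlib, because modern OpenSSL builds only expose MD4 through the legacy provider. The user name, uid/gid numbers, password and the domain SID S-1-5-21-1111111111-2222222222-3333333333 are constructed sample input (read your real one with net getlocalsid); the base DN dc=unixmen,dc=com is the one used on this page. The RID formulas are Samba 3's default algorithmic mapping (uid*2+1000 for users, gid*2+1001 for groups).

```python
import struct
import time


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(message: bytes) -> bytes:
    """RFC 1320 MD4; returns the 16-byte digest. Used here only because the
    NT password hash is defined as MD4 over the UTF-16LE password."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    bit_len = len(message) * 8
    # pad with 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length
    padded = message + b"\x80" + b"\x00" * ((55 - len(message)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(padded), 64):
        X = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = _lrot((a + fn(b, c, d) + X[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers; 4 steps restore the order
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: MD4(UTF-16LE(password)) as uppercase hex. There is
    no salt, so whoever can read this attribute can authenticate as the user
    (pass-the-hash) without ever cracking it."""
    return md4(password.encode("utf-16-le")).hex().upper()


def user_rid(uid: int) -> int:
    """Samba 3 default algorithmic RID for a user (algorithmic rid base = 1000)."""
    return uid * 2 + 1000


def group_rid(gid: int) -> int:
    """Samba 3 default algorithmic RID for a group."""
    return gid * 2 + 1001


def samba_user_ldif(uid_name, uid_number, gid_number, password, domain_sid,
                    base_dn="dc=unixmen,dc=com", pwd_last_set=None) -> str:
    """Build the LDIF for a POSIX user carrying the sambaSamAccount objectClass,
    i.e. what LAM writes when you add the Samba 3 extension and set a password."""
    if pwd_last_set is None:
        pwd_last_set = int(time.time())
    lines = [
        f"dn: uid={uid_name},ou=People,{base_dn}",
        "objectClass: top",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: sambaSamAccount",
        f"uid: {uid_name}",
        f"cn: {uid_name}",
        f"sn: {uid_name}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: /home/{uid_name}",
        "loginShell: /bin/bash",
        f"sambaSID: {domain_sid}-{user_rid(uid_number)}",
        f"sambaPrimaryGroupSID: {domain_sid}-{group_rid(gid_number)}",
        # 11 characters between the brackets; 'U' = normal user account.
        # A 'D' in this field is the "disabled" flag that 'smbpasswd -e' clears.
        "sambaAcctFlags: [U          ]",
        f"sambaNTPassword: {nt_hash(password)}",
        f"sambaPwdLastSet: {pwd_last_set}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input: placeholder domain SID, throwaway password.
    print(samba_user_ldif("senthil", 10001, 10000, "P@ssw0rd",
                          "S-1-5-21-1111111111-2222222222-3333333333"))
```

Feed the output to ldapadd as cn=admin if you want to create accounts without LAM. Two things follow from what the block shows: no sambaLMPassword is written (set lanman auth = no in smb.conf so Samba never asks for it), and sambaNTPassword is password-equivalent, so the slapd ACL for sambaNTPassword and sambaLMPassword must be "by self write by * none" (with the Samba admin DN allowed to write), exactly as for userPassword.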

Testing Samba Domain controller

Now try to join the Samba domain from the Windows client using the newly created user.
Enter your Samba domain name (the workgroup set in smb.conf) in the Domain field and click Ok.
Enter your Samba user name and password which you created in the earlier steps.
Oops! Error! You may get an error like the one shown below if you have a Windows 7 client: "The specified domain either does not exist or could not be contacted"

Resolution 1:

To get rid of this error, open the Windows registry and go to
HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> Services
-> LanmanWorkstation -> Parameters.
Create two new DWORD values called "DomainCompatibilityMode" and "DNSNameResolutionRequired", and set "DomainCompatibilityMode" to 1 (one) and "DNSNameResolutionRequired" to 0 (zero). These are the settings the Samba documentation lists for joining Windows 7 to an NT4-style (Samba 3 classic) domain; they are not needed for an Active Directory domain.
Now try again to join the Samba domain.
Again you may get an error like the one shown below: "Logon failure: Unknown user name or bad password"
This means that we didn't add and enable the Samba users yet. Here is the
tip I used to get rid of this error, using the following command.

Resolution 2:

Note: The command "smbpasswd -a username" adds a user to the Samba password database (with the ldapsam backend, the sambaSamAccount attributes on the user's LDAP entry), and "smbpasswd -e username" enables the user by clearing the "D" (disabled) flag in sambaAcctFlags. They are different commands, don't confuse them.
Now let us try again. This time I got an error like the one shown below: "The join operation was not successful. This could be because
an existing computer account having name "admin-PC" was previously
created using a different set of credentials. Use a different computer
name or contact your system administrator to remove any stale
conflicting account. The error was: Access denied."

Resolution 3:

Here is what I did to solve the above error. Open the terminal and enter the following command.

Here senthil is my Samba user name.
Joining a workstation to a Samba 3 (NT4-style) domain creates a machine account for it, so the user performing the join must hold the SeMachineAccountPrivilege right and smb.conf needs an add machine script that creates the corresponding account in LDAP; without both, the join ends in Access denied.
Let us try again to join the Samba domain. Boom! Yes, it worked now.
Restart the Windows machine and you will be able to log in to the Samba domain now.
Note: I don't know why there are so many difficulties in adding a Windows 7
client to the domain controller. If anybody knows a fix, share it in the
comment section. I needed these resolutions only for the first join to the
Samba domain. For the rest of the new users, it is not necessary to do all
those resolutions. I simply created the users in LAM and they could join the
domain without any problems. If I find a workaround for this bug, I will
update this article.